Thank you for this. My host recommended this plugin to me after my server was brought to its knees for the billionth time. I was using the limit-login-attempts plugin, and it worked for a while, until the botnet adapted and started using hundreds of a different IPS only a few times instead of a few IPS many times.
My only concern is that because I work remotely (from coffee shops, etc.) often, if I get locked out of my site when I am not on a whitelisted IP it's kind of a problem. I hope that captcha support is coming soon.